[Cryptech Tech] Incremental digest outputs
Rob Austein
sra at hactrn.net
Sun Nov 16 02:56:04 UTC 2014
Something I intended to mention while I was doing the prototype HAL
for the digest cores: unless I'm missing something, our digest cores
don't support incremental digest results. That is, we support doing
things like:
context = SHAxxxInit()
context.addData(foo)
result = context.finalize()
and
context = SHAxxxInit()
context.addData(foo)
context.addData(bar)
result = context.finalize()
but we don't support doing things like:
context = SHAxxxInit()
context.addData(foo)
result1 = context.finalize()
context.addData(bar)
result2 = context.finalize()
In case the notation isn't clear: this is just an efficiency hack to
avoid hashing foo twice if one needs to calculate both H(foo) and
H(foo | bar) (and H(foo | bar | baz), et cetera ad nausium). As
shown, it's silly, but if foo is a lot of data, the overhead of
hashing it twice might matter.
Not sure how useful this unsupported sequence really is, but I've seen
several software implementations seem to provide for it in their APIs.
Never seen it used.
The problem in terms of doing this with our current digest cores is
that one would need to roll the digest core's state back to where it
was before adding the final padding. If there's an obvious way to do
that, I missed it. One can of course hack around this in software,
(not recommended if you've eaten recently).
Not sure we care. If we do care, we may want to think about whether
we expect this to be a common operation that we need to support in
Verilog. I suspect not, but would rather make an explicit decision
not to support this than do so by accident.
More information about the Tech
mailing list